
In the course of general research, Zerononcense recently came across a report titled ‘Reverse Engineering of the Anubis Malware — Part 1’, which presented information about malware, dubbed ‘Anubis’, that has been wreaking havoc on Android devices throughout 2019. While the malware was not created specifically to target the blockchain space, it is extremely well-engineered, sophisticated, dangerous, and highly targeted, with those who engage in financial-related activities being at the greatest risk.

Specifically, those who engage in any activity related to banking, using exchanges, or even checking cryptocurrency prices are at significant risk if their device has been infected with this virus.

The first report (cited in the first paragraph) that this article will use as a reference was published by a French cybersecurity researcher writing under the pseudonym ‘Elliot Alderson’. That report provides general background information about the virus (Anubis), its origin, its means of execution and insertion, and some of the virus’s detected targets.

The second report that this piece will draw on heavily is titled ‘Anubis II — malware and afterlife’, published by the cybersecurity firm ThreatFabric. That report provides further information regarding the features of Anubis and covers some of the gaps in coverage from the first report.

For more comprehensive coverage of this virus, users should check the following links:

Explaining What the ‘Anubis’ Virus is and What it Does

Below is an excerpt from the second report, which provides a description of the virus:

“Anubis II is the Android banking Trojan created and advertised by an actor with the nickname ‘maza-in’. This malware family goes beyond the well-known overlay attacks by combining advanced features such as screen streaming, remote file browsing, sound recording, keylogging and even a network proxy, making it an efficient banking malware but also a potential spying tool. Effectively, Anubis can be considered one of the most used Android banking Trojans since late 2017.”

Essentially, Anubis ‘spoofs’ certain websites and applications, using a variety of sophisticated methods that are designed to make detection without the aid of accompanying software (anti-virus) nearly impossible. According to ThreatFabric, the malware can effectively steal ‘online banking credentials’, ‘banking security codes’, and ‘even credit card details’.

Based on Zerononcense’s assessment of the virus’ capabilities, the dangers of this virus are vastly understated by ThreatFabric.

It is worth noting that the capabilities outlined above expose users to a countless number of attacks that would render many of the best safeguards entirely obsolete. Specifically, the malware’s capabilities allow its operators to implement a ‘man-in-the-middle’ attack with ease. An effective man-in-the-middle attack can render 2FA (two-factor authentication) virtually useless, even if a time-based code generator such as Google Authenticator is employed.

In addition, the malware would also be able to implement a ‘timing attack’. This is significant because an effective timing attack can undermine a signature scheme as strong as ECDSA (the elliptic curve digital signature algorithm), which is one of the cryptographic standards that Bitcoin uses.

To be clear, this does not mean that this virus has the ability to compromise Bitcoin itself or even ‘break’ the encryption. Bitcoin was merely mentioned as a familiar reference in this case.

Below is a study published in 2011 by the Aalto University School of Science in Finland that outlines how remote timing attacks can be used to compromise the security of various cryptographic signatures (depending on how the signing operation is implemented):

The video provides a visual explanation for those who prefer to receive information in that format.
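To make the timing-attack point above concrete, here is an added toy model (written for this article, not code from Zerononcense, ThreatFabric or the cited study). It stands in for the scalar multiplication at the heart of ECDSA signing using plain integers, so that `scalar_mul(k, g)` simply equals `k * g`, and it counts loop iterations as a deterministic proxy for execution time. The leaky version iterates once per bit of the secret nonce `k`, so its running time reveals the nonce’s bit length; the hardened version always runs a fixed number of iterations regardless of `k`. All names (`Trace`, `double_and_add_leaky`, `double_and_add_fixed`, `timing_profile`) are this example’s own.

```python
"""Toy model of a timing side channel in scalar multiplication.

Added illustration, not code from the article or the reports it cites.
Integers stand in for elliptic-curve points: the group operation is
integer addition, so scalar_mul(k, g) == k * g. Only the loop-iteration
count is tracked, as a deterministic stand-in for wall-clock time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    result: int   # k * g in the toy group
    steps: int    # number of loop iterations performed


def double_and_add_leaky(k: int, g: int) -> Trace:
    """Textbook double-and-add: one iteration per bit of k.

    The step count equals k.bit_length(), so an observer who can time
    the operation learns the bit length of the secret scalar (for ECDSA,
    the per-signature nonce). Leaking even a few nonce bits across many
    signatures is what lattice-based key recovery attacks build on.
    """
    acc = 0
    steps = 0
    for bit in bin(k)[2:]:          # iterates over the bits of k, MSB first
        acc = acc + acc             # "double"
        if bit == "1":
            acc = acc + g           # "add" only when the bit is set
        steps += 1
    return Trace(acc, steps)


def double_and_add_fixed(k: int, g: int, width: int) -> Trace:
    """Fixed-iteration variant: always `width` steps, no secret branch.

    Every iteration performs both the double and the add; the add is
    selected arithmetically (bit is 0 or 1) rather than by branching.
    Real curve code uses a masked point select for the same purpose;
    integer multiplication by 0/1 is the toy-model equivalent.
    """
    if not 0 <= k < (1 << width):
        raise ValueError("scalar does not fit in the fixed width")
    acc = 0
    steps = 0
    for i in range(width - 1, -1, -1):
        acc = acc + acc
        bit = (k >> i) & 1
        acc = acc + bit * g         # adds g when bit == 1, adds 0 otherwise
        steps += 1
    return Trace(acc, steps)


def timing_profile(impl, scalars, g: int, **kwargs) -> set:
    """Return the set of distinct step counts seen across `scalars`.

    A single-element set means the timing proxy does not depend on the
    secret; more than one element means it leaks something about it.
    """
    return {impl(k, g, **kwargs).steps for k in scalars}


if __name__ == "__main__":
    g = 7
    # Constructed sample "nonces" of different bit lengths.
    nonces = [1, 5, 37, 200, 255]
    print("leaky step counts:", timing_profile(double_and_add_leaky, nonces, g))
    print("fixed step counts:", timing_profile(double_and_add_fixed, nonces, g, width=8))
    # Both implementations agree on the arithmetic; only the timing differs.
    for k in nonces:
        assert double_and_add_leaky(k, g).result == double_and_add_fixed(k, g, 8).result == k * g
```

Run as a script, the leaky profile prints several distinct step counts (one per nonce bit length) while the fixed profile prints a single value. The defensive lesson is the one the cited study draws: a signing routine whose running time depends on secret data is a side channel, and the mitigation is an implementation whose control flow and iteration count are independent of the secret.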

Methods of Infection and Insertion

The primary platform that Anubis used to infect users was the Google Play store (Android). There are a host of alleged security flaws in the Google Play store that the malware operators were able to exploit in order to infect Android devices through downloads of applications that appeared legitimate on the store.

Targets of Anubis

ThreatFabric lists a total of 378 entities that it determined Anubis was specifically targeting.

Nearly all of these targets were in the financial sphere in some capacity. Targets included crypto exchanges, traditional banking websites and applications, alternative finance, and other popular applications related to banking, trading, or finance.

Clarifying the Term ‘Target’

To be specific, in this section of the report the list of ‘targets’ (financial and blockchain applications) does not mean that the entities listed are being attacked directly. The entity that has been compromised in this situation is the infected user device.

However, the virus does not become active until the user decides to visit one of these sites. It is programmed to begin executing its script remotely, extracting details from users as soon as they visit these sites, using one of the many methods mentioned in the previous section. Thus, the virus is ‘targeting’ certain sites as the platforms the operators wish to infiltrate by first compromising the platform’s users.

Since the majority of Zerononcense’s audience is in the blockchain sphere, the below list will contain targets that Zerononcense identified as blockchain-related entities (the full list can be found here).

Entity names are listed below with the specific ‘package name’ in parentheses: